Is Text Messaging Really Not Secure?

Why do we hear that Text Messaging (SMS) is not acceptable in health care? What aspects of it aren’t good for medicine? Is there some technical flaw? Do we really understand all the issues?

I decided to look into the matter, and would like to summarize this mainly for doctors and clinical people. I’ll avoid using terms like protocol payloads and PDUs of GSM networks.

SMS is the industry term for Simple Messaging Service, a technology designed about 30 years ago and designed to operate internationally by phone providers. The familiar 140-character limit that still exists on Twitter even to this day traces back to this standard. Today, most of us refer to SMS and Text Messaging as the same thing. 

Known SMS Security Issues

According to the Wikipedia article on SMS; your Message is Exposed Over the Air: We must remember that anything that goes over the airwaves can be captured and then analyzed. While encryption is applied when your messages are exchanged, until 3G was introduced, it was quite easy to decipher mobile messages.

In 3G and above the whole authentication and encryption have been revamped. One caveat is that you may not know if you are in 3G/4G mode; your phone can switch into 2G, for example, when you exhausted your data quota, or in a remote area where 3G is still not available.

Messages are Stored First: Because you could be offline for a while, the carrier must store the message on its computers until it can contact your phone again. If someone is able to break in, or steal your phone this can expose your messages.

Messages Can Hop Through Various Networks: This is not a direct point-to-point communication. Messages will go through various points in the network that you do not control. Someone could record the traffic and abuse it.

Destination Identity Cannot Be Confirmed: There is no real confirmation that the recipient is indeed the person to whom you want to send the message. In other words, you can send a message to a wrong number, and it would be too late.

Identity of Message Source Can Be Faked: Just as Caller IDs can also be faked, so can the source of the SMS message. Someone can use a caller ID of a doctor or a family member of a patient you know to get some important info.

Is SMS Really That Bad for Security?

Using text messaging exposes you to many security issues, but don’t lose sleep over this. Most messages are exchanged without an incident. But it is time to move to a more secure solution where the access is controlled by you or your hospital’s administrator; that you have an assurance of exactly who you are communicating with; and data are always encrypted from the moment you push the “send” button.

For HIPAA, you need to have additional security related controls such as being able to audit your medical information distribution and sharing activities. This would normally require a more healthcare dedicated system such as your EHR, PACS or our medically dedicated mobile photo solutions.

What We Recommend

First and most importantly, the majority of security breaches are due to the mismanagement of security practices. For example, do you change your office internal WiFi password when an employee quits? My other blog post, Seven Essential Low Tech Practices for Security Compliance, touches on this issue. Correct those “people” issues first.

There are many great secure messaging and sharing services out there and many of them are free or have great free trial programs. So why keep taking the risk? I would search for “Secure Messaging” or “Secure Photo Sharing” on your search engine and try them out.

Credit: Wing Du